Reversing Java: Part I

Recently I’ve become interested in the byte code structure of Java and Dalvik, and I’ve found some useful tools for playing with them.

Destination Byte Code

Java byte code is relatively simple to reverse engineer because it is not native machine code: the JVM interprets (or just-in-time compiles) the byte code at run time. That is what makes Java code cross-platform, but it also executes with more delay than directly compiled machine code (for example C++ compiled with gcc).

Compiling from Java Source Code

Reversing Java byte code is simpler than reversing machine code, and Oracle publishes documentation of the class file format. In Java, each source file (.java) is compiled to a class file (.class) with the following command:

javac HelloWorld.java

This creates HelloWorld.class in the same folder as the Java source. You can use Java’s built-in disassembler (javap) for playing with class files.

We will go through the byte codes step by step. Today we analyze some basic parts:

Magic

In a hex dump of the class file, the first four bytes are ca fe ba be: Java uses CAFE BABE as the magic number that identifies a class file.

Minor and Major

The next four bytes, 00 00 (0 in decimal) and 00 34 (52 in decimal), are the minor and major versions. I’ve compiled the code with Java SE 8, so you can’t run the code with Java SE 7.

So the minor version is 0 and the major version is 52.

Constant Pool

The constant pool is where all the constants used in the class file are stored. The next two bytes give the constant pool count (00 1d = 29 in decimal). Index 0 is reserved by the JVM, so the items occupy constant_pool[1] to constant_pool[28].
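The following Python script is an added example, not code from the original post: it reads the fields discussed above (magic, minor and major version, constant pool count) from raw class file bytes and then goes one step further than the post by walking the constant pool entries by their tag, using the entry sizes from the JVM class file format. The class file bytes and the Java-release lookup table are constructed for the example; the constructed file has a constant_pool_count of 5 rather than the post’s 29 so that it stays short, and it includes a CONSTANT_Long entry to show the one entry type that occupies two pool indices.

```python
import struct

# Constant pool tag -> (name, fixed payload size in bytes); None means a
# variable-length CONSTANT_Utf8 (u2 length followed by that many bytes).
# Sizes follow the JVM class file format; tags 5 and 6 occupy two pool indices.
CP_TAGS = {
    1: ("Utf8", None), 3: ("Integer", 4), 4: ("Float", 4),
    5: ("Long", 8), 6: ("Double", 8), 7: ("Class", 2), 8: ("String", 2),
    9: ("Fieldref", 4), 10: ("Methodref", 4), 11: ("InterfaceMethodref", 4),
    12: ("NameAndType", 4), 15: ("MethodHandle", 3), 16: ("MethodType", 2),
    17: ("Dynamic", 4), 18: ("InvokeDynamic", 4), 19: ("Module", 2),
    20: ("Package", 2),
}

# major_version -> Java SE release (subset; 52 = Java SE 8 as in the post).
MAJOR_TO_JAVA = {49: "5", 50: "6", 51: "7", 52: "8", 53: "9", 54: "10",
                 55: "11", 61: "17", 65: "21"}

# Constructed sample class file: header plus a four-entry constant pool.
SAMPLE_CLASS = (
    bytes.fromhex("cafebabe")                    # magic
    + bytes.fromhex("0000")                      # minor_version = 0
    + bytes.fromhex("0034")                      # major_version = 52 (Java SE 8)
    + bytes.fromhex("0005")                      # constant_pool_count = 5 -> indices 1..4
    + bytes.fromhex("07 0002")                   # #1 CONSTANT_Class, name_index = #2
    + bytes.fromhex("01 000a") + b"HelloWorld"   # #2 CONSTANT_Utf8, length 10
    + bytes.fromhex("05 0000000000001234")       # #3 CONSTANT_Long (also occupies #4)
)


def parse_header(data: bytes):
    """Return (magic, minor, major, constant_pool_count) from the first 10 bytes."""
    if len(data) < 10:
        raise ValueError("truncated class file header")
    magic, minor, major, cp_count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError(f"not a class file: magic is {magic:#010x}")
    return magic, minor, major, cp_count


def java_release(major: int) -> str:
    """Map a major_version to the Java SE release that produces it."""
    return MAJOR_TO_JAVA.get(major, "unknown")


def parse_constant_pool(data: bytes):
    """Walk the constant pool that follows the header.

    Returns (pool, end_offset) where pool maps index -> (tag_name, payload).
    Indices run from 1 to constant_pool_count - 1; a Long or Double entry
    consumes two indices and the second index is simply absent from the dict.
    """
    _, _, _, cp_count = parse_header(data)
    pool = {}
    pos = 10
    index = 1
    while index < cp_count:
        if pos >= len(data):
            raise ValueError(f"constant pool truncated at index {index}")
        tag = data[pos]
        if tag not in CP_TAGS:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos}")
        name, size = CP_TAGS[tag]
        pos += 1
        if size is None:  # CONSTANT_Utf8: read the u2 length first
            if pos + 2 > len(data):
                raise ValueError("truncated Utf8 length")
            (size,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
        payload = data[pos:pos + size]
        if len(payload) != size:
            raise ValueError(f"truncated {name} entry at index {index}")
        pos += size
        pool[index] = (name, payload)
        index += 2 if tag in (5, 6) else 1
    return pool, pos


if __name__ == "__main__":
    magic, minor, major, cp_count = parse_header(SAMPLE_CLASS)
    print(f"magic={magic:#x} minor={minor} major={major} (Java SE {java_release(major)})")
    print(f"constant_pool_count={cp_count} -> indices 1..{cp_count - 1}")
    pool, end = parse_constant_pool(SAMPLE_CLASS)
    for idx in sorted(pool):
        print(f"  #{idx}: {pool[idx][0]} {pool[idx][1]!r}")
    print(f"constant pool ends at offset {end}")
```

Running the script prints the header fields, then the three decoded entries (index 4 is skipped because the Long at index 3 takes two slots) and the offset where the constant pool ends, which is where the access flags and this_class fields would begin in a real class file. The magic check rejects any input that does not start with CAFE BABE before anything else is read.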

Mir Saman

I'm currently an IT Ph.D. candidate at Urmia University. I'm interested in Social Network Analysis, Big Data Mining, and NLP in my academic field, as well as guitar, nature, and Android!